ATG Personalization Programming Guide

Using Password Expiration

This section describes the features that allow you to force passwords to expire periodically or all at the same time.

The password expiration feature allows you to require users to change their passwords after a specified period of time, for example 90 or 120 days.

Enabling Password Expiration

Password expiration is disabled by default. It must be enabled before you can either require regular password changes or force all users' passwords to expire.

To enable password expiration:

Override or edit the properties file at /atg/userprofiling/ExpiredPasswordService and set enabled=true.

Add a change password JSP or JHTML page to your site. This is the form that users are redirected to when it is determined that their password is expired. This can be done using the ACC page template wizard.

Configure the ExpiredPasswordService.redirectPath property to point to the change password JSP/JHTML page you created.

Optionally, set the ExpiredPasswordService.passwordValidForNumDays property to the number of days a password remains valid.

ATG recommends that the change password page be completely static HTML. Once it has been determined that the user’s password has expired, all requests passing through the servlet pipeline are redirected to the URL in the redirectPath property. Any linked elements in the change password page, such as links to CSS files or images, must be explicitly set in the /atg/dynamo/servlet/pipeline/ExpiredPasswordServlet.localUrlsToAllow property in order for the page to render correctly. Note that you do not need to list page includes using dsp:include and jsp:include tags in localUrlsToAllow; these bypass the redirect. An example follows:

Password Expiration Process

After a user successfully completes the login process, the ProfileFormHandler calls the /atg/userprofiling/ExpiredPasswordService component to determine if the user’s password is expired.

This component adds the value of the passwordValidForNumDays property in the ExpiredPasswordService component to the profile’s lastPasswordUpdate. The result is the date through which the password is valid. If the lastPasswordUpdate value is null, it sets the property to 1/1/1970.

The component compares this date to the current date. If the current date is after it, the component marks the password as expired by setting the passwordexpired session variable to true.

The ExpiredPasswordServlet checks the passwordexpired session variable. If true, it redirects the user to the change password form URL defined in the ExpiredPasswordService.redirectPath property.

When the user submits the change password form successfully, the passwordexpired session variable is set to false. The lastPasswordUpdate property is set to the current timestamp and persisted.

The user can then browse the site as usual.

If the user leaves the site before completing the change password form successfully, the session times out. The password expiration process is repeated the next time the user logs in.

Example (Jim's profile): lastPasswordUpdate + passwordValidForNumDays = 01/04/2005, which is before today's date, so the passwordexpired session variable is set to true for Jim's profile.

Forcing All Passwords to Expire

As well as configuring passwords to expire individually according to the date of the last change, you can force all passwords in the profile repository to expire on the same date. To do so, set the forcePasswordUpdateTimeStamp property in the /atg/userprofiling/ExpiredPasswordService component to the date when you want the passwords to expire. The property is a timestamp that is set to 01/01/2000 by default. All users will be prompted to change their passwords the first time they log in after the specified date.

To expire all passwords immediately and force all users to change their passwords the next time they log in, set the value to the current date.

Setting the forcePasswordUpdateTimeStamp value to a date in the future schedules all passwords to expire on that date.

The examples below are all valid formats for specifying the property value:

04/23/2007 4:45

April 23 2007

April 23 2007 4pm

23 April 2007 16:45

Forced password expiration works as follows:

After a user successfully completes the login process, the ProfileFormHandler calls the /atg/userprofiling/ExpiredPasswordService component, which compares the forcePasswordUpdateTimeStamp value to the lastPasswordUpdate property in the user's profile.

If the force update value is after the last password update and before the current date, the password is marked as expired, and the process for having the user change the password is initiated. See the Password Expiration Process section for details.
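The per-user check from the Password Expiration Process section and the forced-expiry check above, modelled together as an added Python example (this is not ATG's code): the property and session-variable names follow the text, while the 90-day validity, the "today" date and the Jim and Maria profiles are constructed sample values.

```python
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)  # used in place of a null lastPasswordUpdate


def valid_through(last_password_update, password_valid_for_num_days):
    """Date through which the password is valid (a null update counts as 1/1/1970)."""
    base = EPOCH if last_password_update is None else last_password_update
    return base + timedelta(days=password_valid_for_num_days)


def password_expired(profile, service, now):
    """True when the passwordexpired session variable should be set to true."""
    last = profile.get("lastPasswordUpdate")
    # Per-user rule: the current date is after lastPasswordUpdate + passwordValidForNumDays.
    if now > valid_through(last, service["passwordValidForNumDays"]):
        return True
    # Forced rule: forcePasswordUpdateTimeStamp lies after the last update and before now.
    force = service["forcePasswordUpdateTimeStamp"]
    return (EPOCH if last is None else last) < force < now


def login(profile, service, session, now):
    """Model the ProfileFormHandler check that follows a successful login."""
    session["passwordexpired"] = password_expired(profile, service, now)
    return session["passwordexpired"]


def change_password(profile, session, now):
    """Model a successful change-password submission."""
    session["passwordexpired"] = False
    profile["lastPasswordUpdate"] = now  # persisted with the current timestamp


# Constructed sample data (not from ATG): 90-day validity and the default
# forcePasswordUpdateTimeStamp of 01/01/2000; "today" is 03/01/2005.
SERVICE = {"passwordValidForNumDays": 90,
           "forcePasswordUpdateTimeStamp": datetime(2000, 1, 1)}
NOW = datetime(2005, 3, 1)
# Jim's password is valid through 01/04/2005; Maria changed hers on 02/01/2005.
JIM = {"lastPasswordUpdate": datetime(2005, 1, 4) - timedelta(days=90)}
MARIA = {"lastPasswordUpdate": datetime(2005, 2, 1)}

if __name__ == "__main__":
    session = {}
    print("Jim expired at login:", login(JIM, SERVICE, session, NOW))      # True
    change_password(JIM, session, NOW)
    print("Jim after password change:", login(JIM, SERVICE, session, NOW))  # False
    print("Maria expired at login:", login(MARIA, SERVICE, {}, NOW))        # False
```

Moving forcePasswordUpdateTimeStamp to a date between Maria's last update and today flips her result to expired, while a future date leaves it false until that date arrives.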

Example (Maria's profile): the force update value is before the last password update, so the passwordexpired session variable is not set for Maria's current session.

Notifying Users of Impending Expiration

You can include the PasswordExpiresSoon droplet on a page to notify users when their password is about to expire.

This droplet can be found and configured at /atg/dynamo/droplet/PasswordExpiresSoon. The displayCount setting determines how many times per session the password expiration notification is shown to the customer logging in.